All the cybersecurity tools in the world aren’t going to protect your organization from a fraudster who has succeeded in getting your employee to believe a scam.
It’s no secret that fraudsters have figured out how to trick even the most diligent and well-trained employee into believing that they are dealing with their actual vendor. Once they’ve done that, it’s just a matter of time until banking information is changed and the fraudster runs off with money that was intended for your supplier.
The aftermath of such an event isn’t pretty: bad press, lost jobs, damaged reputations.
Here are three common ways that fraudsters will attempt to trick your employees, and what you should watch out for.
1. A sense of urgency
Be wary of urgency. When a message insists that something related to a payment must happen right now, treat it as a likely fraud attempt until it has been verified through your normal process. The pressure is hardest to resist when the message appears to come from an internal superior, because a rank-and-file employee is reluctant to push back.
Picture this common fraud scenario:
A low to mid-level employee gets an email from the CEO. The CEO needs the employee to wire a payment right away and provides the banking information. An important project is at stake, and they need this money to meet an important deadline.
Your AP employees may well know that wiring the money would break protocol for vendor set-up and account verification, but not wanting to disappoint the CEO, they comply and send the wire quickly and without question. Except it was not the CEO; it was a cybercriminal impersonating the CEO. This was a phishing attack (specifically business email compromise, often called CEO fraud), and the company is now out thousands of dollars.
Most employees want to do good work and fix problems quickly. These are great qualities, but they are easy to exploit: in a hurry, mistakes are more likely and red flags are more easily missed, which is exactly what cybercriminals are banking on (literally).
Tip: Phishing attacks do not always look like the one described above; in fact, they do not even need to arrive by email. Treat every urgent payment request with the same caution, whichever channel it arrives on. (Read about the latest attack vector: video chats.)
2. Calling the vendor to confirm a change
The right procedures go a long way toward helping employees spot electronic payment fraud before the money walks out the door. Case in point: the verification phone call.
Requiring that new or changed banking information be validated by phone, while time-consuming, has traditionally been a reliable control. You call the vendor on a phone number already on file (never one supplied in the change request itself), and a known contact at the vendor confirms the banking details.
Simple, right? Not anymore.
Thanks to the "new norm" of remote work, this call-to-verify process is no longer fail-safe, and fraudsters have taken note. With so many people working from home, your outbound call to the office number on file may not reach the vendor contact at all. If you leave a message and someone calls you back from a number different from the one you dialled, you have no way to authenticate that number as belonging to the vendor.
Tip: If you cannot reach the right person with an outbound call to a number on file, and you cannot authenticate the number an inbound call comes from, then you cannot be certain the call is from the legitimate vendor. Treat the change as unverified until you can.
3. The vetting process is bypassed
Even when there is a process in place for verifying vendor payment-change instructions received by email, it does an organization no good at all if it is not followed. Case in point: the city of Peterborough, NH, whose staff failed to follow procedure three times in four weeks, resulting in the loss of millions of dollars across three separate scams.
Most employees are well-intentioned and want to do the right thing, but in today's fast-paced business environment they are getting requests from all across the organization to on-board vendors. In that chaos, things go undetected (a slight variation in an email address), steps get skipped (verifying the change) and tried-and-true protocols may no longer fit the way work is done (hello, remote working). Given these challenges, it can be next to impossible to guarantee that the party getting paid is actually who they claim to be.
Make no mistake – fraudsters are taking full advantage of this known reality.
Tip: Do not assume that people are infallible. Even well-trained employees who know the policy will make mistakes. In fact, payment fraud scams usually succeed because of a human error or because someone did not follow the controls put in place to prevent fraud.
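The "slight variation in an email address" mentioned in section 3 is something a script can catch even when a busy employee does not. The following Python is an added example, not code from the original article or from any vendor-management product: it compares the sender domain of an incoming payment-change email against the vendor domains of record and classifies it as on file, a lookalike (confusable characters such as "rn" for "m", a near-miss spelling, or the vendor's name embedded in a longer domain) or unknown. The vendor domains, addresses and confusable table are constructed sample data; the `.example` top-level domain is reserved, so nothing here refers to a real company.

```python
import unicodedata

# Constructed sample data: the e-mail domains each vendor used when it was
# on-boarded. In practice this comes from the vendor master file.
VENDOR_DOMAINS_OF_RECORD = {
    "acme-supplies.example",
    "northwind-traders.example",
}

# Character substitutions that make a lookalike domain pass a quick glance.
# Hypothetical list for this example; extend it from your own incident data.
_CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize_domain(domain: str) -> str:
    """Canonicalize a domain so visually similar spellings compare equal."""
    d = unicodedata.normalize("NFKD", domain.strip().lower())
    d = "".join(ch for ch in d if not unicodedata.combining(ch))  # drop accents
    for src, dst in _CONFUSABLES:
        d = d.replace(src, dst)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance; small values catch an added, dropped or swapped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_sender(address: str, domains_of_record=VENDOR_DOMAINS_OF_RECORD,
                    max_distance: int = 2) -> dict:
    """Compare the sender's domain with the vendor file.

    verdict: "on_file"   exact match with a vendor domain of record
             "lookalike" resembles a vendor domain (see "reason")
             "unknown"   no resemblance to any vendor of record
    reason:  "confusable_characters", "embedded_vendor_name" or "near_miss"
    """
    if "@" not in address:
        raise ValueError("not an e-mail address")
    domain = address.rsplit("@", 1)[1].strip().lower()
    if domain in domains_of_record:
        return {"verdict": "on_file", "domain": domain, "matches": domain, "reason": None}

    norm = normalize_domain(domain)
    candidates = []
    for ref in domains_of_record:
        ref_norm = normalize_domain(ref)
        dist = levenshtein(norm, ref_norm)
        if dist == 0:
            # Identical once confusables are folded, e.g. acrne- vs acme-
            candidates.append((0, ref, "confusable_characters"))
        elif ref_norm.split(".")[0] in norm:
            # Real vendor label inside a longer domain, e.g. vendor.example.co
            candidates.append((1, ref, "embedded_vendor_name"))
        elif dist <= max_distance:
            candidates.append((dist, ref, "near_miss"))

    if candidates:
        _, ref, reason = min(candidates)
        return {"verdict": "lookalike", "domain": domain, "matches": ref, "reason": reason}
    return {"verdict": "unknown", "domain": domain, "matches": None, "reason": None}


if __name__ == "__main__":
    # Constructed sample senders, one per verdict/reason combination.
    for sender in ["ap@acme-supplies.example",
                   "billing@acrne-supplies.example",
                   "ap@acme-suppIies.example",
                   "ap@acme-supplies.example.co",
                   "someone@gmail.example"]:
        print(sender, "->", classify_sender(sender))
```

A "lookalike" verdict should route the change request to the out-of-band verification described in section 2 rather than block it outright. An "on_file" match is still not proof of anything: a vendor's real mailbox can be compromised, so the domain check complements the callback to a number on file; it does not replace it.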